
CN106603531A - Automatic establishing method of intrusion detection model based on industrial control network and apparatus thereof - Google Patents


Info

Publication number
CN106603531A
Authority
CN
China
Prior art keywords
module
flows
communication behavior
time
intrusion detection
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201611162117.5A
Other languages
Chinese (zh)
Inventor
曾鹏
尚文利
赵剑明
万明
安攀峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shenyang Institute of Automation of CAS
Original Assignee
Shenyang Institute of Automation of CAS
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Shenyang Institute of Automation of CAS
Priority to CN201611162117.5A (CN106603531A)
Priority to US15/572,643 (US20180288084A1)
Priority to PCT/CN2017/080716 (WO2018107631A1)
Publication of CN106603531A
Legal status: Pending


Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416Event detection, e.g. attack signature detection
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/211Selection of the most significant subset of features
    • G06F18/2111Selection of the most significant subset of features by using evolutionary computational techniques, e.g. genetic algorithms
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/211Selection of the most significant subset of features
    • G06F18/2113Selection of the most significant subset of features by ranking or filtering the set of features, e.g. using a measure of variance or of feature cross-correlation
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/214Generating training patterns; Bootstrap methods, e.g. bagging or boosting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/21Design or setup of recognition systems or techniques; Extraction of features in feature space; Blind source separation
    • G06F18/217Validation; Performance evaluation; Active pattern learning techniques
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F18/00Pattern recognition
    • G06F18/20Analysing
    • G06F18/24Classification techniques
    • G06F18/241Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F18/2411Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches based on the proximity to a decision surface, e.g. support vector machines
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/12Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • Computer Vision & Pattern Recognition (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Evolutionary Computation (AREA)
  • Physics & Mathematics (AREA)
  • Bioinformatics & Computational Biology (AREA)
  • General Physics & Mathematics (AREA)
  • Bioinformatics & Cheminformatics (AREA)
  • Evolutionary Biology (AREA)
  • Artificial Intelligence (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Physiology (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

The invention discloses an automatic establishing method of an intrusion detection model based on an industrial control network. The method comprises the following steps: determining whether a first intrusion detection model meets a preset detection requirement and, if it does not, extracting communication behavior flow data in real time; setting a training data set and a test data set according to the communication behavior flow data; creating an initial intrusion detection model according to the training data set; and testing the initial intrusion detection model with the test data set and, according to the test result, creating a second intrusion detection model that meets the preset detection requirement. The detection precision of the second intrusion detection model is high, so the intrusion detection rate of abnormal behaviors is increased and the false alarm rate and missed report rate are reduced.

Description

Automatic establishment method and device for an intrusion detection model based on an industrial control network
Technical field
The application relates to an automatic establishment method and device for an intrusion detection model based on an industrial control network, and belongs to the technical field of industrial control network security protection.
Background art
An industrial control system (Industrial Control Systems, hereinafter ICS) is an automatic control system composed of computer equipment and industrial process control components, and is widely used in basic industrial fields such as manufacturing, energy, transportation and petrochemicals. Because ICS are increasingly connected to enterprise networks and the Internet, an open network environment has formed; network security protection technology for ICS is therefore of great importance for ensuring the safe, reliable and stable operation of ICS.
At present, the network security of ICS is mainly guaranteed by intrusion detection technology. Intrusion detection is an active security protection technology: it extracts and analyzes the features of the communication traffic data in the ICS in order to detect abnormal behavior and operations, and performs operations such as interception, alarming and system recovery before the abnormal behavior causes harm.
In the prior art, an intrusion detection model is established from network traffic data and that model is then always used to perform intrusion detection of abnormal behavior. Industrial communication is real-time, however, and the traffic data of communication behavior keep changing, so the false alarm rate and missed report rate of prior-art intrusion detection are relatively high.
Summary of the invention
According to one aspect of the application, an automatic establishment method for an intrusion detection model based on an industrial control network is provided. The detection precision of the intrusion detection model obtained by this method is high, so the intrusion detection rate of abnormal behavior is improved and the false alarm rate and missed report rate are reduced.
An automatic establishment method for an intrusion detection model based on an industrial control network comprises:
judging whether a first intrusion detection model meets a preset detection requirement and, if not, extracting communication behavior traffic data in real time;
setting a training data set and a test data set according to the communication behavior traffic data;
creating an initial intrusion detection model according to the training data set;
testing the initial intrusion detection model with the test data set, and creating, according to the test result, a second intrusion detection model that meets the preset detection requirement.
The preset detection requirement comprises a detection rate threshold, a detection time threshold, a false alarm rate threshold and/or a missed report rate threshold.
Further, after the communication behavior traffic data are extracted in real time, the method also comprises:
performing attribute reduction on the communication behavior traffic data extracted in real time.
Performing attribute reduction on the communication behavior traffic data extracted in real time specifically means:
performing attribute reduction on the communication behavior traffic data extracted in real time using rough set theory (RST).
According to another aspect of the application, an automatic establishment device for an intrusion detection model based on an industrial control network is provided. The device comprises a judging module, an extraction module, a setting module, a first creation module and a second creation module;
the judging module is used for judging whether the first intrusion detection model meets the preset detection requirement and, if not, triggering the extraction module;
the extraction module is used for extracting communication behavior traffic data in real time after being triggered by the judging module;
the setting module is used for setting a training data set and a test data set according to the communication behavior traffic data extracted by the extraction module;
the first creation module is used for creating an initial intrusion detection model according to the training data set set by the setting module;
the second creation module is used for testing, with the test data set set by the setting module, the initial intrusion detection model created by the first creation module, and for creating, according to the test result, a second intrusion detection model that meets the preset detection requirement.
The preset detection requirement comprises a detection rate threshold, a detection time threshold, a false alarm rate threshold and/or a missed report rate threshold.
Further, the device also comprises an attribute reduction module for performing attribute reduction on the communication behavior traffic data extracted in real time by the extraction module;
correspondingly, the setting module is used for setting the training data set and the test data set according to the communication behavior traffic data reduced by the attribute reduction module.
Specifically, the attribute reduction module performs attribute reduction on the features of the communication traffic data extracted in real time using RST.
The beneficial effects the application can produce include:
1) The application judges whether the first intrusion detection model meets the preset detection conditions; when it does not, communication behavior traffic data are extracted in real time, a training data set and a test data set are set from the extracted communication behavior traffic data, an initial intrusion detection model is created from the training data set, the initial intrusion detection model is tested with the test data set, and a second intrusion detection model that meets the preset detection requirement is created according to the test result. Compared with the prior art, which performs intrusion detection with a fixed first intrusion detection model, the second intrusion detection model obtained by the embodiment of the invention has high detection precision, so the intrusion detection rate of abnormal behavior is improved and the false alarm rate and missed report rate are reduced;
2) further, the application performs attribute reduction on the communication behavior traffic data extracted in real time using RST, which reduces the complexity of the second intrusion detection model, further improves the detection precision of the second intrusion detection model, and saves detection time.
Description of the drawings
Fig. 1 is a schematic flow chart of an automatic establishment method for an intrusion detection model based on an industrial control network;
Fig. 2 is a schematic structural diagram of an automatic establishment device for an intrusion detection model based on an industrial control network.
Detailed description
The application is described in detail below with reference to embodiments, but the application is not limited to these embodiments.
Embodiment 1
Referring to Fig. 1, an embodiment of the invention provides an automatic establishment method for an intrusion detection model based on an industrial control network. The method comprises:
101. judging whether the first intrusion detection model meets the preset detection requirement and, if not, executing step 102;
Specifically, the preset detection requirement comprises one or more of parameters such as a detection rate threshold, a detection time threshold, a false alarm rate threshold and a missed report rate threshold, which can be chosen according to the practical situation; the embodiment of the invention does not specifically limit this.
102. extracting communication behavior traffic data in real time;
In the embodiment of the invention, the communication behavior traffic data extracted in real time may be traffic data of normal communication behavior, or may include traffic data of abnormal attack behavior.
In the embodiment of the invention, abnormal behavior includes various destructive behaviors such as illegal connection, unauthorized access, and tampering with or destroying data.
103. setting a training data set and a test data set according to the communication behavior traffic data;
104. creating an initial intrusion detection model according to the above training data set;
105. testing the above initial intrusion detection model with the test data set, and creating, according to the test result, a second intrusion detection model that meets the preset detection requirement.
In the prior art, intrusion detection of abnormal behavior is performed with a fixed, already established first intrusion detection model. Because industrial communication happens in real time and its communication behavior traffic data keep changing, performing intrusion detection with the fixed first intrusion detection model gives low detection precision and cannot meet the real-time requirement of industrial communication. In the embodiment of the invention, it is first judged whether the first intrusion detection model meets the preset detection requirement; when it does not, communication behavior traffic data are extracted in real time, an initial intrusion detection model is created again from these communication behavior traffic data, the initial intrusion detection model is modified, and a second intrusion detection model that meets the preset detection requirement is obtained. Performing intrusion detection of abnormal behavior with this second intrusion detection model greatly improves the intrusion detection rate and reduces the intrusion detection false alarm rate and missed report rate.
Further, after step 102, the method also comprises:
performing attribute reduction on the communication behavior traffic data extracted in real time.
Specifically, attribute reduction is performed on the features of the communication traffic data extracted in real time based on rough set theory (Rough Sets Theory, hereinafter RST).
More specifically, attribute reduction is performed on the features of the communication traffic data extracted in real time using a decision table based on Pawlak attribute significance from RST.
In an intrusion detection system, the amount of communication behavior traffic data is huge and its attributes are numerous. Some of these attributes have little effect on the intrusion detection result, and another part is useless for the intrusion detection result and may even mislead the intrusion detection of abnormal behavior, which not only lowers the intrusion detection rate of abnormal behavior but also affects the real-time communication requirement of the industrial control network.
RST is a mathematical tool suited to handling vagueness and uncertainty, and is mainly used to discover patterns and rules in incomplete data sets; RST is now widely used in fields such as chemical engineering, medical diagnosis, process control and business economics.
The embodiment of the invention applies RST in the present invention for the first time. Using RST to perform attribute reduction on the communication behavior traffic data extracted in real time separates out the useless attributes and concentrates the detection process on the key data attributes, which greatly reduces the complexity of the intrusion detection model, improves the detection precision of the intrusion detection model and saves detection time. The embodiment of the invention is, however, not limited to attribute reduction with RST; any reduction method that achieves the attribute reduction effect, such as a genetic algorithm or dynamic reduction, can also be used.
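The decision-table reduction described above, as an added example that is not from the patent: Pawlak attribute significance computed from the rough-set positive region and used for backward elimination on a small constructed flow decision table (the discretized attribute names and the rows are assumptions, as is the choice of backward elimination as the reduction strategy).

```python
"""Added example (not the patent's code): attribute reduction of a communication
behavior decision table with Pawlak attribute significance from rough set theory.
The decision table rows and the discretized attribute names are constructed."""
from collections import defaultdict
from fractions import Fraction
from typing import Dict, List, Sequence, Set, Tuple

Row = Dict[str, object]

# Constructed decision table: one row per observed flow, condition attributes already
# discretized (rate, function type, source zone, time of day); 'abnormal' is the decision.
CONDITION_ATTRS = ("rate", "func", "src_zone", "time_of_day")
DECISION_ATTR = "abnormal"
DECISION_TABLE: List[Row] = [
    {"rate": "low",  "func": "read",  "src_zone": "hmi", "time_of_day": "day",   "abnormal": 0},
    {"rate": "low",  "func": "read",  "src_zone": "hmi", "time_of_day": "night", "abnormal": 0},
    {"rate": "high", "func": "read",  "src_zone": "hmi", "time_of_day": "day",   "abnormal": 0},
    {"rate": "low",  "func": "write", "src_zone": "eng", "time_of_day": "day",   "abnormal": 0},
    {"rate": "low",  "func": "write", "src_zone": "hmi", "time_of_day": "day",   "abnormal": 0},
    {"rate": "low",  "func": "write", "src_zone": "ext", "time_of_day": "night", "abnormal": 1},
    {"rate": "high", "func": "write", "src_zone": "hmi", "time_of_day": "day",   "abnormal": 1},
    {"rate": "high", "func": "read",  "src_zone": "ext", "time_of_day": "night", "abnormal": 1},
    {"rate": "low",  "func": "read",  "src_zone": "ext", "time_of_day": "day",   "abnormal": 1},
]

def partition(rows: Sequence[Row], attrs: Sequence[str]) -> List[List[int]]:
    """IND(B): the equivalence classes of rows that agree on every attribute in B."""
    blocks: Dict[Tuple, List[int]] = defaultdict(list)
    for idx, row in enumerate(rows):
        blocks[tuple(row[a] for a in attrs)].append(idx)
    return list(blocks.values())

def positive_region(rows: Sequence[Row], attrs: Sequence[str], decision: str) -> Set[int]:
    """POS_B(D): rows in B-classes whose members all carry the same decision value."""
    pos: Set[int] = set()
    for block in partition(rows, attrs):
        if len({rows[i][decision] for i in block}) == 1:
            pos.update(block)
    return pos

def dependency(rows: Sequence[Row], attrs: Sequence[str], decision: str) -> Fraction:
    """gamma_B(D) = |POS_B(D)| / |U|: 1 means B decides every row without conflict."""
    return Fraction(len(positive_region(rows, attrs, decision)), len(rows))

def significance(rows: Sequence[Row], attrs: Sequence[str], a: str, decision: str) -> Fraction:
    """Pawlak significance of a in B: how far gamma drops when a is removed from B."""
    without = tuple(x for x in attrs if x != a)
    return dependency(rows, attrs, decision) - dependency(rows, without, decision)

def reduce_attributes(rows: Sequence[Row], attrs: Sequence[str], decision: str) -> Tuple[str, ...]:
    """Backward elimination: drop one zero-significance attribute at a time, recomputing
    after each drop, until every remaining attribute is indispensable (a reduct)."""
    current = tuple(attrs)
    while True:
        for a in current:
            if significance(rows, current, a, decision) == 0:
                current = tuple(x for x in current if x != a)
                break
        else:
            return current

def project(rows: Sequence[Row], attrs: Sequence[str], decision: str) -> List[Row]:
    """The reduced table from which the training and test sets would then be set."""
    return [{**{a: r[a] for a in attrs}, decision: r[decision]} for r in rows]

if __name__ == "__main__":
    for a in CONDITION_ATTRS:
        print(a, significance(DECISION_TABLE, CONDITION_ATTRS, a, DECISION_ATTR))
    reduct = reduce_attributes(DECISION_TABLE, CONDITION_ATTRS, DECISION_ATTR)
    print("reduct:", reduct, "gamma:", dependency(DECISION_TABLE, reduct, DECISION_ATTR))
```

On this table the time-of-day attribute has zero significance and is dropped, while the remaining three attributes each have positive significance (removing any one of them makes two rows undecidable), so the reduct keeps rate, function type and source zone.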
The embodiment of the invention judges whether the first intrusion detection model meets the preset detection conditions; when it does not, communication behavior traffic data are extracted in real time, a training data set and a test data set are set from the extracted communication behavior traffic data, an initial intrusion detection model is created from the training data set, the initial intrusion detection model is tested with the test data set, and a second intrusion detection model that meets the preset detection requirement is created according to the test result. Compared with the prior art, which performs intrusion detection with a fixed first intrusion detection model, the second intrusion detection model obtained by the embodiment of the invention has high detection precision, so the intrusion detection rate of abnormal behavior is improved and the false alarm rate and missed report rate are reduced. Further, the embodiment of the invention performs attribute reduction on the communication behavior traffic data extracted in real time using RST, which reduces the complexity of the second intrusion detection model, further improves the detection precision of the second intrusion detection model, and saves detection time.
Referring to Fig. 2, an embodiment of the invention provides an automatic establishment device for an intrusion detection model based on an industrial control network. The device comprises a judging module 21, an extraction module 22, a setting module 23, a first creation module 24 and a second creation module 25;
the judging module 21 is used for judging whether the first intrusion detection model meets the preset detection requirement and, if not, triggering the extraction module 22;
Specifically, the preset detection requirement comprises one or more of parameters such as a detection rate threshold, a detection time threshold, a false alarm rate threshold and a missed report rate threshold, which can be chosen according to the practical situation; the embodiment of the invention does not specifically limit this.
the extraction module 22 is used for extracting communication behavior traffic data in real time after being triggered by the judging module 21;
In the embodiment of the invention, the communication behavior traffic data extracted in real time may be traffic data of normal communication behavior, or may include traffic data of abnormal attack behavior.
the setting module 23 is used for setting a training data set and a test data set according to the communication behavior traffic data extracted by the extraction module 22;
the first creation module 24 is used for creating an initial intrusion detection model according to the training data set set by the setting module 23;
the second creation module 25 is used for testing, with the test data set set by the setting module 23, the initial intrusion detection model created by the first creation module 24, and for creating, according to the test result, a second intrusion detection model that meets the preset detection requirement.
Further, the embodiment of the invention also comprises an attribute reduction module for performing attribute reduction on the communication behavior traffic data extracted in real time by the extraction module 22;
correspondingly, the setting module 23 is used for setting the training data set and the test data set according to the communication behavior traffic data reduced by the attribute reduction module.
Specifically, the attribute reduction module performs attribute reduction on the features of the communication traffic data extracted in real time using a decision table based on Pawlak attribute significance from RST.
The embodiment of the invention judges whether the first intrusion detection model meets the preset detection conditions; when it does not, communication behavior traffic data are extracted in real time, a training data set and a test data set are set from the extracted communication behavior traffic data, an initial intrusion detection model is created from the training data set, the initial intrusion detection model is tested with the test data set, and a second intrusion detection model that meets the preset detection requirement is created according to the test result. Compared with the prior art, which performs intrusion detection with a fixed first intrusion detection model, the second intrusion detection model obtained by the embodiment of the invention has high detection precision, so the intrusion detection rate of abnormal behavior is improved and the false alarm rate and missed report rate are reduced. Further, the embodiment of the invention performs attribute reduction on the communication behavior traffic data extracted in real time using RST, which reduces the complexity of the second intrusion detection model, further improves the detection precision of the second intrusion detection model, and saves detection time.
The above are only several embodiments of the application and do not limit the application in any way. Although the application is disclosed above by way of preferred embodiments, these are not intended to limit the application; any person skilled in the art who, without departing from the scope of the technical solution of the application, makes slight changes or modifications using the technical content disclosed above obtains an equivalent implementation that falls within the scope of the technical solution of the application.

Claims (8)

1. An automatic establishment method for an intrusion detection model based on an industrial control network, characterized by comprising:
judging whether a first intrusion detection model meets a preset detection requirement and, if not, extracting communication behavior traffic data in real time;
establishing a training data set and a test data set according to the communication behavior traffic data;
creating an initial intrusion detection model according to the training data set;
testing the initial intrusion detection model with the test data set, and creating, according to the test result, a second intrusion detection model that meets the preset detection requirement.
2. The method according to claim 1, characterized in that the preset detection requirement comprises a detection rate threshold, a detection time threshold, a false alarm rate threshold and/or a missed report rate threshold.
3. The method according to claim 1 or 2, characterized in that, after extracting the communication behavior traffic data in real time, the method also comprises:
performing attribute reduction on the communication behavior traffic data extracted in real time.
4. The method according to claim 3, characterized in that performing attribute reduction on the communication behavior traffic data extracted in real time specifically means:
performing attribute reduction on the communication behavior traffic data extracted in real time using RST.
5. An automatic establishment device for an intrusion detection model based on an industrial control network, characterized in that the device comprises a judging module, an extraction module, a setting module, a first creation module and a second creation module;
the judging module is used for judging whether a first intrusion detection model meets a preset detection requirement and, if not, triggering the extraction module;
the extraction module is used for extracting communication behavior traffic data in real time after being triggered by the judging module;
the setting module is used for setting a training data set and a test data set according to the communication behavior traffic data extracted by the extraction module;
the first creation module is used for creating an initial intrusion detection model according to the training data set set by the setting module;
the second creation module is used for testing, with the test data set set by the setting module, the initial intrusion detection model created by the first creation module, and for creating, according to the test result, a second intrusion detection model that meets the preset detection requirement.
6. The device according to claim 5, characterized in that the preset detection requirement comprises a detection rate threshold, a detection time threshold, a false alarm rate threshold and/or a missed report rate threshold.
7. The device according to claim 5 or 6, characterized by also comprising an attribute reduction module for performing attribute reduction on the communication behavior traffic data extracted in real time by the extraction module;
correspondingly, the setting module is used for setting the training data set and the test data set according to the communication behavior traffic data reduced by the attribute reduction module.
8. The device according to claim 7, characterized in that the attribute reduction module performs attribute reduction on the features of the communication traffic data extracted in real time using RST.

Priority Applications (3)

Application Number Priority Date Filing Date Title
CN201611162117.5A CN106603531A (en) 2016-12-15 2016-12-15 Automatic establishing method of intrusion detection model based on industrial control network and apparatus thereof
US15/572,643 US20180288084A1 (en) 2016-12-15 2017-04-17 Method and device for automatically establishing intrusion detection model based on industrial control network
PCT/CN2017/080716 WO2018107631A1 (en) 2016-12-15 2017-04-17 Automatic establishing method and apparatus for intrusion detection model based on industrial control network

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201611162117.5A CN106603531A (en) 2016-12-15 2016-12-15 Automatic establishing method of intrusion detection model based on industrial control network and apparatus thereof

Publications (1)

Publication Number Publication Date
CN106603531A true CN106603531A (en) 2017-04-26

Family

ID=58802867

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201611162117.5A Pending CN106603531A (en) 2016-12-15 2016-12-15 Automatic establishing method of intrusion detection model based on industrial control network and apparatus thereof

Country Status (3)

Country Link
US (1) US20180288084A1 (en)
CN (1) CN106603531A (en)
WO (1) WO2018107631A1 (en)

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070943A (en) * 2017-05-05 2017-08-18 兰州理工大学 Industry internet intrusion detection method based on traffic characteristic figure and perception Hash
CN107948149A (en) * 2017-11-21 2018-04-20 杭州安恒信息技术有限公司 Tactful self study and optimization method and device based on random forest
CN108375972A (en) * 2018-03-21 2018-08-07 北京科技大学 A kind of industry control intrusion detection adaptive optimization method and device
WO2018218537A1 (en) * 2017-05-31 2018-12-06 西门子公司 Industrial control system and network security monitoring method therefor
CN111262750A (en) * 2020-01-09 2020-06-09 中国银联股份有限公司 Method and system for evaluating baseline model
CN111600863A (en) * 2020-05-08 2020-08-28 杭州安恒信息技术股份有限公司 Network intrusion detection method, device, system and storage medium
CN112187730A (en) * 2020-09-08 2021-01-05 华东师范大学 Intrusion detection system
CN114489025A (en) * 2022-02-14 2022-05-13 上海交通大学宁波人工智能研究院 Model-driven industrial control system safety protection method

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10764318B1 (en) * 2017-11-30 2020-09-01 United States Automobile Association (USAA) Detection failure monitoring system
CN110365678B (en) * 2019-07-15 2021-10-22 北京工业大学 Industrial control network protocol vulnerability mining method based on anti-sample
CN110784455B (en) * 2019-10-16 2021-09-07 国网湖北省电力有限公司电力科学研究院 Method for optimizing Xgboost model based on linear decreasing weight particle swarm algorithm
CN110809009A (en) * 2019-12-12 2020-02-18 江苏亨通工控安全研究院有限公司 Two-stage intrusion detection system applied to industrial control network
CN112788047A (en) * 2020-07-14 2021-05-11 袁媛 Network traffic anomaly detection method based on industrial Internet and big data platform
CN111833557A (en) * 2020-07-27 2020-10-27 中国工商银行股份有限公司 Fault identification method and device
CN112348202B (en) * 2021-01-05 2021-03-30 博智安全科技股份有限公司 Method for establishing rule model in machine learning
CN113190840B (en) * 2021-04-01 2022-06-14 华中科技大学 Industrial control system intrusion detection system and method based on DCGAN under edge cloud cooperation
CN113542276B (en) * 2021-07-16 2023-01-24 江苏商贸职业学院 Method and system for detecting intrusion target of hybrid network
CN114697081B (en) * 2022-02-28 2024-05-07 国网江苏省电力有限公司淮安供电分公司 Intrusion detection method and system based on IEC61850 SV message running situation model

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103778479A (en) * 2014-01-10 2014-05-07 国网上海市电力公司 Adaptive information fault-tolerant protection method
CN104378371A (en) * 2014-11-14 2015-02-25 浙江工业大学 Network intrusion detection method for parallel AP cluster based on MapReduce
CN104935600A (en) * 2015-06-19 2015-09-23 中国电子科技集团公司第五十四研究所 Mobile ad hoc network intrusion detection method and device based on deep learning

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2001277932A1 (en) * 2000-07-21 2002-02-05 Ohio University System and method for identifying an object
US9525696B2 (en) * 2000-09-25 2016-12-20 Blue Coat Systems, Inc. Systems and methods for processing data flows
US7424619B1 (en) * 2001-10-11 2008-09-09 The Trustees Of Columbia University In The City Of New York System and methods for anomaly detection and adaptive learning
US7941382B2 (en) * 2007-10-12 2011-05-10 Microsoft Corporation Method of classifying and active learning that ranks entries based on multiple scores, presents entries to human analysts, and detects and/or prevents malicious behavior
US8762298B1 (en) * 2011-01-05 2014-06-24 Narus, Inc. Machine learning based botnet detection using real-time connectivity graph based traffic features
NL2007180C2 (en) * 2011-07-26 2013-01-29 Security Matters B V Method and system for classifying a protocol message in a data communication network.
CN106060008B (en) * 2016-05-10 2019-11-19 中国人民解放军61599部队计算所 A kind of network intrusions method for detecting abnormality
US10733530B2 (en) * 2016-12-08 2020-08-04 Resurgo, Llc Machine learning model evaluation in cyber defense

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107070943A (en) * 2017-05-05 2017-08-18 兰州理工大学 Industry internet intrusion detection method based on traffic characteristic figure and perception Hash
CN107070943B (en) * 2017-05-05 2020-02-07 兰州理工大学 Industrial internet intrusion detection method based on flow characteristic diagram and perceptual hash
WO2018218537A1 (en) * 2017-05-31 2018-12-06 西门子公司 Industrial control system and network security monitoring method therefor
US11747799B2 (en) 2017-05-31 2023-09-05 Siemens Aktiengesellschaft Industrial control system and network security monitoring method therefor
CN107948149A (en) * 2017-11-21 2018-04-20 杭州安恒信息技术有限公司 Tactful self study and optimization method and device based on random forest
CN108375972A (en) * 2018-03-21 2018-08-07 北京科技大学 A kind of industry control intrusion detection adaptive optimization method and device
CN108375972B (en) * 2018-03-21 2020-04-28 北京科技大学 Industrial control intrusion detection self-adaptive optimization method and device
CN111262750A (en) * 2020-01-09 2020-06-09 中国银联股份有限公司 Method and system for evaluating baseline model
CN111600863A (en) * 2020-05-08 2020-08-28 杭州安恒信息技术股份有限公司 Network intrusion detection method, device, system and storage medium
CN112187730A (en) * 2020-09-08 2021-01-05 华东师范大学 Intrusion detection system
CN114489025A (en) * 2022-02-14 2022-05-13 上海交通大学宁波人工智能研究院 Model-driven industrial control system safety protection method
CN114489025B (en) * 2022-02-14 2023-07-04 上海交通大学宁波人工智能研究院 Model-driven industrial control system safety protection method

Also Published As

Publication number Publication date
WO2018107631A1 (en) 2018-06-21
US20180288084A1 (en) 2018-10-04

Similar Documents

Publication Publication Date Title
CN106603531A (en) Automatic establishing method of intrusion detection model based on industrial control network and apparatus thereof
CN105704103B (en) Modbus TCP communication behavior abnormity detection method based on OCSVM double-contour model
CN104899513B (en) A kind of datagram detection method of industrial control system malicious data attack
Hadi et al. Performance analysis of big data intrusion detection system over random forest algorithm
CN103748853A (en) Method and system for classifying a protocol message in a data communication network
CN105100122A (en) Threat detection and alert method and system based on big data analysis
CN103888282A (en) Network intrusion alarm method and system based on nuclear power plant
CN109376537A (en) A kind of assets methods of marking and system based on multiple-factor fusion
CN116016198B (en) Industrial control network topology security assessment method and device and computer equipment
Bargamon et al. Advanced ransomware detection through dynamic anomaly pattern discrimination
CN107426203A (en) Weak password detection system and implementation method and WEB platform
CN112600828B (en) Attack detection and protection method and device for power control system based on data message
CN108509796B (en) Method for detecting risk and server
CN104966019B (en) A kind of heuristic document threat detection method and system
CN103825875A (en) Virtual machine detection method for vaccine inoculation strategy
CN104796421A (en) Multimedia network intrusion detecting method
CN116389148A (en) Network security situation prediction system based on artificial intelligence
CN113079148B (en) Industrial Internet safety monitoring method, device, equipment and storage medium
Yu et al. Mining anomaly communication patterns for industrial control systems
Gupta et al. Convolution neural network (CNN) based phishing attack detection model for e-business in enterprise information systems
CN101968768B (en) Defect-based software security test requirement acquisition and classification method
Liu et al. AI electronic products information security research
CN112511568A (en) Correlation analysis method, device and storage medium for network security event
CN117951714B (en) Driving system for remote operation and maintenance of bottom layer of computer
CN103825877A (en) Integration immunization virtual machine detection method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication (Application publication date: 20170426)